Unfortunately for online businesses, a spike in shopping comes with its own price: fraud. Around the world, fraudsters buy stolen credit card information and use those stolen cards to make online purchases. When the real cardholder finds out, they dispute the payment and are reimbursed by their credit card company. However, unlike their brick-and-mortar counterparts, online businesses are responsible for paying the associated costs, including reimbursements and chargeback fees to the credit card companies.

Estimates vary, but most experts agree that online retailers collectively lose US$30-60 billion every year to fraud.

Stripe processes billions of dollars a year for hundreds of thousands of businesses around the world, all of them online or otherwise internet-enabled. When we looked back at our fraud data for 2016, across hundreds of thousands of businesses globally, we found a few notable patterns, each with its own lesson for online businesses.

Day and time: when fraudsters strike

While the overall volume of fraud is higher on heavy shopping days like Cyber Monday, fraud rates tend to be lower. Instead, the fraud rate as a percentage of overall traffic tends to rise when regular people aren’t shopping as much, such as Christmas Day. The same is true within a given day: Fraud rates peak at quiet hours late at night and dip during the day.

Lesson: To protect against fraudsters working across different geographies and time zones, consider adding extra scrutiny to purchases made outside of normal business hours, either through manual reviews or other more stringent automated filters.

Geography: where fraudsters focus their efforts

Fraud rates also vary by country. In particular, the country where a given card was issued can affect the likelihood that a transaction is legitimate, sometimes altering fraud rates by as much as 300%. For example, cards from Argentina, Brazil, India, Malaysia, Mexico, and Turkey tend to be more fraud-prone than cards from many other countries. But even U.S., Canadian, and French cards are susceptible. Thus, it’s critical not to overcompensate, as fraudulent transactions represent a very small percentage of overall shopping volume.

Lesson: Rather than block all purchases from a given country or region, test different geography-based rules on transactions and ask for more information from all customers (like CVV numbers and full addresses).

While you may expect that fraudsters are buying expensive televisions or jewelry, our data show that most online fraud happens on purchases that are the same size as legitimate transactions. But fraudsters are not making small transactions to “blend in” with normal purchases — their purchases are highly conspicuous in other respects. After a fraudster makes a successful charge on a credit card with a particular merchant, he or she tends to make additional charges with that same merchant very quickly — up to 10 times more quickly than legitimate card holders. Three-quarters of all fraudulent transactions are not the first fraudulent transaction on a given card.

Lesson: Be cautious with many rapid-fire transactions from the same customer. Use automated tools to limit the speed of repeat purchases to a rate that will facilitate legitimate purchases while deterring fraudsters.
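One way to express the rapid-fire lesson, combined with the earlier lesson on quiet hours, as an added example (not Stripe's code): a sliding-window velocity check per card and merchant that sends excess attempts to review and tightens its limit late at night. The thresholds, the quiet-hour range, the class and function names, and the sample transactions are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; derive real ones from your own traffic.
WINDOW = timedelta(minutes=10)   # look-back window per card and merchant
DAY_LIMIT = 3                    # attempts allowed per window in normal hours
QUIET_LIMIT = 2                  # stricter limit during quiet hours
QUIET_HOURS = range(0, 6)        # 00:00-05:59 in the merchant's local time


class VelocityCheck:
    """Sliding-window counter keyed on (merchant, card fingerprint).

    card_fp is assumed to be a token or fingerprint from the payment
    processor, never the raw card number.
    """

    def __init__(self):
        self._attempts = defaultdict(deque)

    def evaluate(self, merchant, card_fp, ts):
        """Return 'allow' or 'review' for an attempt at local time ts."""
        q = self._attempts[(merchant, card_fp)]
        while q and ts - q[0] > WINDOW:      # drop attempts outside the window
            q.popleft()
        limit = QUIET_LIMIT if ts.hour in QUIET_HOURS else DAY_LIMIT
        decision = "review" if len(q) >= limit else "allow"
        q.append(ts)                         # flagged attempts count too
        return decision


def run_sample():
    """Replay constructed transactions (not real data) through the check."""
    day = datetime(2016, 12, 25)
    sample = [
        ("shop-1", "card-A", day.replace(hour=14, minute=0)),
        ("shop-1", "card-A", day.replace(hour=14, minute=2)),
        ("shop-1", "card-A", day.replace(hour=14, minute=5)),
        ("shop-1", "card-A", day.replace(hour=14, minute=6)),   # 4th in 10 min
        ("shop-1", "card-A", day.replace(hour=14, minute=30)),  # window expired
        ("shop-1", "card-B", day.replace(hour=2, minute=0)),
        ("shop-1", "card-B", day.replace(hour=2, minute=1)),
        ("shop-1", "card-B", day.replace(hour=2, minute=3)),    # 3rd, quiet hours
    ]
    check = VelocityCheck()
    return [check.evaluate(m, c, ts) for m, c, ts in sample]


if __name__ == "__main__":
    print(run_sample())
```

A "review" result routes the charge to manual review or a stricter automated filter rather than blocking it, so a legitimate repeat buyer is slowed instead of turned away.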

While these lessons are applicable to most online businesses, it’s important to realise that each business is unique — and so are its fraud patterns. On the modern internet, the best defense against sophisticated fraudsters is equally modern tooling, such as software that uses machine learning to monitor, adapt, and build new defenses against complex fraud patterns. This ensures businesses are both protected and maximising their revenue throughout the year, not just during the holiday season.